Contractors make the case for flexibility in a forthcoming Defense Department cybersecurity program

Ready or not, the Defense Department's Cybersecurity Maturity Model Certification Program is coming

Ready or not, the Defense Department’s Cybersecurity Maturity Model Certification Program is coming. The proposed rule has been out, and industry has been commenting on what contractors think will be an expensive burden. Attorney Bob Metzger of Rogers Joseph O’Donnell helped craft comments by the Coalition for Government Procurement. He joined the Federal Drive with Tom Temin earlier in studio.

Interview Transcript: 

Bob Metzger I think DoD wants to get this rule out and effective, really in October of 2024. They want to do that in part because there’s something called the Congressional Review Act, which gives Congress 60 continuous days in a single session to consider a major rule and decide whether to recommend to the president that it be vetoed in effect. Well, if they get the rule out close to the election, then the 60-day period would run into next year into the next session of Congress. And that would not only delay things into the first or second quarter of 2025, but if there was a president who was hostile to the rule, he could actually decide not to pursue it. So, DoD is, you know, their goal is to get this out in October. They’ve said that they intend to make this rule effective in fiscal 2025. That starts on October 1st of this year. But there are two parts to the rule. There’s this, proposed, part 32 of the Code of Federal Regulations, which DoD was kind enough to drop upon the industry the day after Christmas. It was 232 pages, I think, in length, in a single-spaced form, but it was reduced to just 81 pages in the Federal Register. That’s an absurdly long rule for something that really doesn’t change so much as what DoD had promised it would do. Well, there’s been a lot of comments. If DoD hoped that industry would say, great, we love it, just finish it. And therefore, DoD could finish its adjudication of comments quickly. I think DoD has got a little challenge because there are many. There are several hundred comments, and some of them are quick and light and little and easy, but there are quite a few that are very substantive.

Tom Temin And they’re not just robo comments where people send in 10,000 postcards. I mean, people are really thinking about this because what there’s a couple of hundred thousand companies potentially affected.

Bob Metzger Yeah, there’s 220,000 companies affected through all three levels of CMMC, and there are about 75,000 approximately who are at level two. Those are the ones who would require a certification assessment eventually. And then there’s about 1500 companies at level three, which is much more demanding. And they too would require an assessment, although in a different form. That’s a very large number of companies, each of which is different and all of which have a somewhat different perspective on this. And part of the challenge for this rule is to fit, you know, this large behemoth of, you know, intricacy of a maze upon an actual defense industrial base that isn’t the same anywhere. And to find something that actually can be practicable, affordable in terms of human and financial and technical resources and successful in actually elevating the protection of the DIB against the exfiltration of its sensitive information.

Tom Temin We’re speaking with attorney Robert Metzger of Rogers Joseph O’Donnell, and they also have the problem as backdrop of all of this, of a shrinking defense industrial base and a shrinking small business participation in the general federal procurement area as well. I think part of it is the just tremendous growth in requirements and compliance regulations that small business has to go through, not only in cybersecurity, but in a lot of other areas that accumulated. Companies would say, what do I need this for?

Bob Metzger That’s a fundamental tension. There are 70,000 or 75,000 companies, approximately, who have controlled unclassified information and have to go through a certification assessment when the time comes that the requirement is in their contract. 75% of those, or about 50,000, are in fact small businesses. Now, DoD has been telling industry forever that they already should be in compliance with the underlying cyber obligations of NIST special publication, 801-71. But there’s more to it than that, because it’s not just that you look at the 110 requirements that are in the rule. Those are just a single sentence each. You actually have to satisfy potentially all 320 assessment objectives that are in the assessment guide that accompanies the standard. And so, there’s kind of a little bit of an iceberg effect here. If all you had to do was to say that you were complying with the 110 standards, that’s relatively easy. But if a third-party assessor is going to look at your information system and then look for evidence to support your accomplishment of the 320 discrete assessment objectives. That means you’re going to be doing a lot more work ahead of time, spending a lot more money hiring experts. And this is a key issue. The deputy secretary of defense, Miss Hicks, has been vocal and repeatedly about the importance of keeping small businesses in the DIB. Even more important, she’s been emphasizing the need for national security to bring small and innovative companies into the DIB. But here we have this big burden of a well-intended cyber rule, and I’m not sure that DoD is quite sorted out how to reconcile the actual burdens and costs, you know, with the benefits. It will not help the DIB if significant participants who are small and medium decide to exit. Some of those are indispensable in a particular supply chain.

Tom Temin And getting to the coalition for Government Procurement comments. Your comments were 19 pages, pretty comprehensive. We can’t go through line by line, but essentially, what are you telling DoD? Scrap it, alter it, reduce it or what?

Bob Metzger Well, you know, we support the rule. But of course, every trade association begins every comment by saying that.

Tom Temin Yes, thank you for the opportunity. Yes.

Bob Metzger Believe in the national defense, etc., but we do support the rule because the reason behind this challenging rule is, is the acceleration and aggravation of threats. And it’s said explicitly in the rule that, threats have worsened since the CMMC program was, was initiated and threats could have devastating effects upon U.S. mission capability. If we can’t stop the Chinese and others from cyber infiltration of our defense industrial base. So, we have a couple of key points. One of them is that this rule has got to be made more flexible. You know, the way it’s written now is that there’s a little bit of play in the joints, but not much. And this just is not going to fit well. If you have this arcane maze with a long and complex rule behind it, and then you try to make it work for all 70,000 companies at level two and even 1500 at level three, we got to have more discretion. We got to find ways where we can accept that sufficiency is just that. In other words, instead of allowing assessors to maximize the demands and demand that every contractor being assessed have evidence for every one of the assessment objectives, and instead of insisting upon the most that you might do, we need to make it clear that companies can satisfy the requirements with a sufficient answer, even if there are other, maybe better or more expensive answers. This is crucial. Another point that we make is, concerns this level two. Sorry, level one. Level one is for federal contract information. That’s a FAR requirement. It has information of significance to all the civilian agencies and DoD, but 150,000 or so of the companies that are subject to CMMC are subject to this level one self-assessment and annual affirmation of their compliance. We say in the in the coalition’s comments that DoD ought to defer and maybe just decline to pursue. Level one is, you know, is it worth it? Level one is going to put 150,000 companies who aren’t expecting this through essentially the same assessment. Rigor is for just 15 requirements. And are they going to get something that’s meaningful? Federal contract information doesn’t have the same significance or impact to DoD. So, if we want to actually make this whole thing more plausible, we ought to think about postponing the level one affirmations. And, you know, and using the same assessment methodologies.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories